<html>
<title>U.S. DEPARTMENT OF EDUCATION: INFORMATION SECURITY REVIEW</title>
<body><pre>[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


       U.S. DEPARTMENT OF EDUCATION: INFORMATION SECURITY REVIEW

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           NOVEMBER 17, 2015

                               __________

                           Serial No. 114-84

                               __________

Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                                  ______

                         U.S. GOVERNMENT PUBLISHING OFFICE

22-383 PDF                     WASHINGTON : 2017
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
                          Washington, DC 20402-0001


              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. "BUDDY" CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                   Jennifer Hemingway, Staff Director
                 David Rapallo, Minority Staff Director
    Katie Bailey, Government Operations Subcommittee Staff Director
                         Michael Flynn, Counsel
                    Sharon Casey, Deputy Chief Clerk


                            C O N T E N T S

                              ----------

Hearing held on November 17, 2015

                               WITNESSES

Mr. Greg Wilshusen, Director, Information Security Issues, U.S.
  Government Accountability Office
    Oral Statement
    Written Statement
Ms. Kathleen S. Tighe, Inspector General, U.S. Department of
  Education
    Oral Statement
    Written Statement
Mr. Danny A. Harris, Chief Information Officer, U.S. Department
  of Education
    Oral Statement
    Written Statement

                                APPENDIX

Rep. Connolly Opening Statement
Department of Education FITARA Implementation Scorecard
FY2015 Cybersecurity Sprint Results


       U.S. DEPARTMENT OF EDUCATION: INFORMATION SECURITY REVIEW

                              ----------


                       Tuesday, November 17, 2015

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 10:01 a.m., in Room
2154, Rayburn House Office Building, Hon. Jason Chaffetz
[chairman of the committee] presiding.
    Present: Representatives Chaffetz, Mica, Jordan, Walberg,
Amash, Gosar, Gowdy, Massie, Meadows, Mulvaney, Buck, Walker,
Blum, Hice, Carter, Grothman, Hurd, Palmer, Maloney, Clay,
Connolly, Kelly, DeSaulnier, and Lujan Grisham.
    Chairman Chaffetz. The Committee on Oversight and
Government Reform will come to order. Without objection, the
chair is authorized to declare a recess at any time.
    We appreciate you joining us for our review of the United
States Department of Education: The Information Security
Review.
    And at this time I would like to yield to the gentleman
from Texas, Mr. Hurd.
    Mr. Hurd. Thank you, Chairman Chaffetz.
    Today's hearing is an opportunity, an opportunity to start
managing the cybersecurity vulnerabilities and risks that this
nation faces every day.
    I said it during the July hearing this committee held on
the data breach of the Office of Personnel Management. It is an
undeniable fact that America is under constant attack. I am not
talking today about bombs dropping or missiles launching, but
the constant stream of cyber weapons aimed at our data.
    The good news for this hearing, we are not talking about a
data breach today. But, Dr. Harris, I want my message to be
heard loud and clear. You do not want to be before this
committee explaining to the American people how you left the PII
of the sons and daughters of millions of Americans vulnerable
to hackers.
    And it is important to realize that this is not a problem
without solutions. The GAO and the inspector general have made
recommendations, not to mention the standards, policies, and
programs of OMB, DHS, and NIST. What I am trying to tell you is
that this is not an issue of technology. This is an issue of
management and leadership.
    Dr. Harris, you are on the spot today, but don't think you
are being singled out. I have put and we have put Federal CIOs
and agency heads on notice time and again. Whether it be on
FITARA implementation, data privacy, encryption, or compliance
with Federal information security policies and practices, this
committee will be watching. We are talking to the inspectors
general and reading their recommendations. Federal CIOs and
agency heads need to be implementing the recommendations of the
IGs and GAO or be able to explain to me and this committee why
they didn't.
    Thank you, Mr. Chairman. I yield back.
    Chairman Chaffetz. I thank the gentleman. And I want to
just kind of--let's stick to the facts here and go through some
key numbers and metrics, because the liability, the
vulnerability is enormous.
    Roughly 17 years ago the liability to the taxpayers in this
category--we are talking about the Department of Education.
Outstanding student loans 17 years ago was roughly $150
billion. Today, taxpayers are liable for roughly $1.18
trillion, making the Department of Education essentially the
size of Citibank.
    Most people don't realize how large and enormous of a
financial institution the Department of Education is. There are
roughly 40 million borrowers utilizing the Department of
Education as essentially their bank and financial institution.
    This is an organization, the Department of Education, that
spends some $683 million--spent $683 million this year on
information technology.
    [Slide.]
    Chairman Chaffetz. But as we put up this slide, doing a
self-assessment, if we can do the FITARA self-assessment, this
is also an organization that, based on their self-assessment, gets an
overall "F" grade as it relates to IT. So we can look at data
center consolidation, IT portfolio review savings, incremental
development, and risk assessment transparency, earning it an
"F".
    Chairman Chaffetz. You can take down that slide now.
    This is a system where we are not necessarily--all the
systems are utilizing encryption. This is a department where
the OMB cyber sprint exercise--if you would put up the second
slide.
    [Slide.]
    Chairman Chaffetz. OMB has engaged in the cyber sprint. It
is one of, I believe, only four agencies in all of Federal
Government where they scored a negative 14 percent, negative 14
percent. You can put down that slide. We can provide that
information. It is very hard to read in that group.
    Chairman Chaffetz. But one of four institutions where it
actually scored negative on assessment of, say, dual
authentication. In fact, the inspector general went in and
looked at the Department of Education's IT operations, and the
report finds "the department-wide information systems continue
to be vulnerable to security threats." The inspector general
made 16 findings, 6 of which are repeat findings. The inspector
general made a total of 26 recommendations, 10 of which are
repeat recommendations.
    So how big is the vulnerability? We talked about it in
terms of dollars. Americans need to know that the Department of
Education holds roughly 139 million Social Security numbers in
the Central Processing System. But let's also remember that 139
million Social Security numbers isn't necessarily all of them,
because it does not include all the systems. That is just the
Central Processing System. It does not include information for
parents who submitted information but whose children did not
get aid. If your child applies for aid, you are going to have
perhaps your mother's information, perhaps your father's
information in there as well. That is also in the system and
potentially very vulnerable.
    The Central Processing System processes Federal aid
applications at roughly 22 million of them per year. We have
been talking a lot about the vulnerability of the Office of
Personnel Management, OPM, understanding the vulnerability
where we believe it is 22 million. The vulnerability at the
Department of Education, we are talking about a trillion
dollars, but we are also talking about over 130 million
Americans.
    The Department has 184 information systems, 184. This is
just the Department of Education. One hundred and twenty are
run by contractors, 29 are valued by OMB as high assets. But
one of the concerns that we have here is that the inspector
general also looked at what's called the COD, the Common
Origination and Disbursement system. It is deemed as a major
system. It is what is actually the system used to disburse
Federal student aid to students and borrowers. This year alone
there was roughly $109 billion in direct loans and $31 billion
in Pells disbursed through the COD.
    One of the fundamental problems that we have had here is
access to that information and allowing the inspector general
to be able to go in and peek at the system, test and verify it.
But this is also a problem.
    Another key system is the National Student Loan database,
which houses significant borrower information. It is called the
NSLDS, the National Student Loan database, and has 97,000 accounts.
These are the people that have access to student loans. These are
the schools, the contractors. That is a lot of people being
able to tap in and have access to this system.
    But it is our understanding that only 5,000 of the 97,000
have actually undergone a background check, which again begs
the question about allowing access to information that could be
potentially vulnerable. It begs a lot of questions about
safety, security, and integrity of this system.
    We are also going to hear--and we have a hearing today on
the Department of Education, but we also have hearings tomorrow
on the Department of Education. And part of what we are going
to hear tomorrow is that the Department of Education was
potentially responsible for roughly $4 billion in improper
payments, $4 billion.
    So we go home, we talk to our constituents about roads,
bridges, infrastructure, about getting more money in the
classroom. Utah has the lowest, lowest in the Nation. We are
not proud of it, lowest spending per pupil in the Nation, and
yet the Department of Education sends out $4 billion in
improper payments. You know what a difference that would make
in my classroom where we have got way too many kids in the
classroom?
    I am just telling you, it has become a monster, an absolute
monster. We don't know who is in there. We don't know what they
are doing. We know there are improper payments. And the
inspector general, the person we trust the most to go in there
and take a look at it, can't even have access because there are
so many contractors who say no, we are not going to let you
look in there; no, you can't see it. And that is a problem.
That is a problem that has got to change.
    Chairman Chaffetz. So I have gone well past my time. There
is lots to talk about over the next 2 days. This is going to be
a good, healthy hearing. I appreciate members' participation.
There are a lot of competing hearings. You are going to see
members coming and going as the second day back, 10:00 a.m.,
there are a lot of hearings going on. But this should be a good
hearing.
    And I now recognize the ranking member, Mr. Connolly, for
his opening statement.
    Mr. Connolly. Thank you, Mr. Chairman. And thank you to our
panelists for being with us today.
    I appreciate the opportunity to examine the information
technology and security programs and practices within the
Department of Education and the Federal Student Aid program.
    This department might not seem like an obvious target of
cyber-related threats, but it is responsible for managing and
securing student loan portfolios of more than $1 trillion, as
you indicated, Mr. Chairman, along with the personal
information of more than 50 million students between Federal
loan borrowers, Pell Grant recipients, and other assistance
programs. And as you indicated, Mr. Chairman, that may be the
tip of the iceberg when one looks at over 130 million Social
Security numbers available to the Department.
    In the wake of two massive data breaches disclosed by the
Office of Personnel Management earlier this year, which
collectively put at risk the personal information of more than
28 million current and former Federal employees and their
families, including Members of Congress like myself, every
Federal agency ought to be reassessing its own information
security protocols and reinforcing efforts to detect and deter
cyber attacks and other threats.
    Perhaps this should be the first of a recurring set of
hearings to gauge successes and shortfalls across agencies when
it comes to protecting the vast amount of sensitive information
held by the Federal Government. I know Mr. Hurd and Mr. Meadows
and yourself, Mr. Chairman, intend to do that certainly with
the implementation of FITARA, but maybe we need to do it with
cybersecurity as well.
    I think we would find most agencies in a similar situation
to this department, which has made some progress in fortifying
its information security defenses in recent years but continues
to struggle with recurring vulnerabilities.
    In its latest report on the Department's efforts to
implement the Federal Information Security Modernization Act,
FISMA, the inspector general identified 16 findings with 26
recommendations, one-third of which are repeat recommendations,
Dr. Harris. Last year's audit found that the Department did not
perform adequate remediation of weaknesses identified in
previous OIG audit reports. That is very troubling in light of
the OPM breach.
    While it appears the Department has beefed up its
remediation efforts, there is still obviously much work to be
done, and I am confident that unfortunately this is not the
only department with these kinds of problems.
    This year's audit flagged weaknesses across four key areas:
continuous monitoring, configuration management, incident
response and reporting, and remote access management. For
example, the IG found user accounts from inside Federal
employees and outside Federal contractors with excessive or
unnecessary permissions and unauthorized access to data. In
fact, one of the Department's IT service contractors could not
verify to the IG's satisfaction that its other non-Federal
customers did not have unauthorized access to the Department's
data through a shared service, very troubling.
    Even more troubling, the OIG said it was able not only to
gain access to the Department's network through a simulated
attack, but also it was able to launch other attacks on systems
connected to the Department while going completely undetected.
    Another critical finding in the IG's report that applies to
the Department of Education, as well as other Federal agencies,
is that existing information security protocols, if implemented
and implemented consistently throughout the organization, could
and should be effective. That is the good news.
    Nowhere is this more important than in cybersecurity and
privacy training for new employees. To be successful here, we
must bring about a wholesale cultural revolution so that
Federal agencies and the workforce understand the critical
importance of cyber safety, including basic elements of what
may be called cyber hygiene.
    Along those same lines, we must hold agencies accountable
for implementation of the bipartisan FITARA legislation, on
which we recently held a hearing and issued a preliminary
scorecard for agency progress. The chairman has already noted
that scorecard for this department. One of the key reforms of
that legislation, which I was pleased to co-write with the
former chairman of this committee, is enhancing CIO authorities
to increase transparency and improve risk management to address
all of these issues.
    Unfortunately, the Department of Education received an
"F" rating on this preliminary assessment, based in large part
on its self-reporting of few IT investments delivering
functionality and their ability to produce savings. That is a
snapshot in time, and we are hoping that it is a work in
progress and that the next snapshot will show that progress. I
look forward to hearing from Mr. Harris about the steps he is
taking to address both FISMA and FITARA challenges.
    The severity of recent data breaches in both public and
private sectors in recent years underscores the urgency for
Federal agencies and Congress to get serious about investing in
IT solutions that better secure our data and taking actions
that will be clear deterrents for would-be hackers. This is a
challenge that has confounded both Democratic and Republican
administrations.
    The number of IT security incidents reported by Federal
agencies increased by 1,121 percent from the reporting period
in the last several years. Unfortunately, these attacks on our
private industries and government simply reflect the new normal
of the 21st century, where nation states represent advanced and
persistent threats against one another, constantly seeking to
gain unauthorized access to sensitive and classified
information on each other's people, intellectual property, and
sensitive security information. The likes of North Korea,
China, Russia, and Iran are increasingly testing the waters and
becoming emboldened by the lack of reprisal or effective
deterrents.
    The House earlier this year did pass two bills on a
bipartisan basis to encourage voluntary sharing of information
between the public and private sectors, but information-sharing
is not enough. We need to get serious about strengthening our
cyber workforce both within the Federal Government and among
our private sector partners. We also need to devise more
effective data breach notification policies so that victims are
aware of the fact they may have been compromised.
    As my colleagues know, it has now been almost 4 months
since the breach on background records was announced, and
notifications are still being made.
    So, Mr. Chairman, I appreciate this opportunity to look at
what the Department of Education is doing right and what it can
improve upon with respect to securing data, but obviously, this
can't be the only hearing. Successfully detecting, defending,
and deterring cyber threats will take a concerted effort across
all agencies and among our private partners. And I thank you,
Mr. Chairman, because this hearing clearly sends a signal this
committee will take that charge seriously.
    I yield back.
    Chairman Chaffetz. I thank the gentleman.
    We will hold the record open for 5 legislative days for any
members who would like to submit a written statement.
    And it is now my pleasure to recognize our witnesses. We
are pleased to welcome Mr. Greg Wilshusen, who currently serves
as the director of Information Security Issues at the
Government Accountability Office, where he leads cybersecurity-
and privacy-related studies and audits of the Federal
Government and critical infrastructure.
    We also are joined by Ms. Kathleen Tighe, who serves as the
inspector general of the United States Department of Education.
Ms. Tighe also chairs the Council of Inspectors General on
Integrity and Efficiency, and in 2011 was appointed by
President Obama to the Recovery, Accountability, and
Transparency Board and the Government Accountability and
Transparency Board.
    And we also are joined by Dr. Danny Harris, who currently
serves as the chief information officer at the United States
Department of Education. Prior to his tenure as CIO, Dr. Harris
served as the chief financial officer at the Department of
Education, where he started his career as a computer analyst.
    We welcome you all.
    Pursuant to committee rules, witnesses are to be sworn
before they testify, so if you will please rise and raise your
right hand.
    [Witnesses sworn.]
    Chairman Chaffetz. Thank you. Please be seated, and let the
record reflect that the witnesses all answered in the
affirmative.
    We would like some time to be set aside for some robust
discussion, so we would appreciate it if you would limit your
testimony to 5 minutes. And obviously your entire written
statement will be made part of the record.
    We will start with Mr. Wilshusen, and he is now recognized
for 5 minutes.

                       WITNESS STATEMENTS

                  STATEMENT OF GREG WILSHUSEN

    Mr. Wilshusen. Chairman Chaffetz, Ranking Member Connolly,
and members of the committee, thank you for the opportunity to
testify at today's hearing on information security at the
Department of Education.
    As requested, my statement will address information
security of Federal agencies, including Education.
    Before I begin, if I may, I would like to recognize several
members of my team who were instrumental in developing my
statement and performing the work underpinning it. Larry
Crosland, Assistant Director, and Rosanna Guerrero led this
body of work. Lee McCracken and Christopher Businsky also made
significant contributions.
    Mr. Chairman, for 18 years GAO has designated Federal
information security to be a government-wide high-risk area. In
February we expanded this area to include protecting the
privacy of personally identifiable information. Recent security
incidents such as the OPM data breaches underscore the
vulnerability of Federal systems and highlight the evolving and
sophisticated nature of the cyber threats that confront Federal
security personnel on a daily basis.
    Over the last several years, Federal agencies have reported
a sharp increase in the number of information security
incidents, which have risen from about 5,500 in fiscal year
2006 to over 67,000 in fiscal year 2014, an increase of
approximately 1,100 percent. Similarly, the number of incidents
involving personally identifiable information has more than
doubled since fiscal year 2009 to over 27,000 in fiscal year
2014.
    Given the risks posed by cyber threats and the increasing
number of incidents, it is crucial that Federal agencies take
appropriate steps to secure their systems and information.
However, we and agency inspectors general have continued to
identify significant deficiencies in controls protecting
Federal information systems. For example, 19 of the 24 agencies
covered by the Chief Financial Officers Act reported a
significant deficiency or material weakness in information
security for financial reporting purposes in fiscal year 2014.
For its part, the Department of Education reported a
significant deficiency, which is less severe than a material
weakness but important enough to merit attention by those
charged with governance.
    As we previously reported for fiscal year 2014, nearly each
of the 24 agencies, including Education, reported weaknesses in
most of the five general control categories that we track. Like
21 other agencies, Education had weaknesses reported in
controls that are intended to prevent, limit, and detect
unauthorized or inappropriate access to computer networks and
sensitive information.
    Similar to most agencies, Education also had weaknesses
reported in its configuration management of its computing
system, continuity of operation controls, and management of its
information security program. On the plus side, unlike 15 other
agencies, Education did not have weaknesses reported in its
controls to segregate incompatible duties among different
individuals.
    For deficiencies in security controls and the efforts
required to mitigate them, inspectors general at 23 of the 24
agencies, including Education, declared information security as
a major management challenge for their agency in fiscal year
2014.
    Over the past 6 years, GAO has made about 2,000
recommendations aimed at improving their information security
programs and controls. To date, agencies have implemented about
58 percent of them.
    Recent actions initiated by the Federal chief information
officer, such as the 30-day Cybersecurity Sprint and issuance of
a Cybersecurity Strategy and Implementation Plan, indicate a new
level of attention by OMB to the security of Federal networks,
systems, and data at civilian agencies. Effective and timely
implementation of this strategy and the rest of GAO's
recommendations, as well as those made by agency IGs, will
bolster agencies' ability to protect their information systems
and information.
    Mr. Chairman, Ranking Member Connolly, members of the
committee, this concludes my opening statement. I'd be happy to
answer your questions.
    [Prepared statement of Mr. Wilshusen follows:]

  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman Chaffetz. Thank you.
    Ms. Tighe, you are now recognized for 5 minutes.

                 STATEMENT OF KATHLEEN S. TIGHE

    Ms. Tighe. Good morning. Thank you, everyone, for inviting
me here today to discuss the work of the U.S. Department of
Education Office of Inspector General involving information
security and technology security.
    The explosion of IT has revolutionized the way the world
does business, and the Department is no exception. Virtually
every department program relies heavily on information systems.
Evaluating whether those information systems are secure is a
top priority for my office.
    As noted, the Department reports 184 information systems in
its inventory, more than 120 of which are operated by
contractors or subcontractors, some of which contain sensitive
financial information and PII pertaining to millions of
students, their parents, and others. These systems are accessed
by thousands of authorized individuals, including department
employees, contractor employees, and other third parties such
as college financial aid administrators.
    Protecting its complex IT infrastructure from constantly
changing cyber threats is an enormous responsibility and
challenge for the Department and its Office of Federal Student
Aid. We examine the Department and FSA's information security
controls every year through our FISMA audit and in the annual
audits of the Department and FSA's financial statements. We
also have conducted other IT security-related work.
    As detailed in our written testimony, our work has
identified deficiencies that impact the security of information
within the Department and contractor systems. For example,
since 2009, including this year, audits of the Department and
FSA's financial statements found persistent IT control
deficiencies in key financial systems, including personnel
security, access controls, and others.
    Since 2011, our FISMA audits have identified weaknesses in
security control areas, including a number of repeat findings.
    Although our 2015 FISMA audit found that the Department has
made progress and has taken steps to address repeat findings,
our work determined that more is needed.
    This year's FISMA audit had two new features. First, the
OIGs were required to evaluate the effectiveness of their
agency's security program in the 10 designated FISMA areas for
the first time, effectiveness meaning the extent to which
security controls are implemented correctly, operate as
intended, and produce the desired outcome.
    Second, the Council of the Inspectors General on Integrity
and Efficiency, in coordination with OMB and others, rolled out
the first phase of its new FISMA evaluation metrics called the
maturity model, which summarizes the status of information
security programs and their maturity on a five-level scale with
five being the best. The first phase encompasses the FISMA
security area of continuous monitoring management.
    Our 2015 FISMA audit found the Department was at level 1
for continuous monitoring management and was not generally
effective in three additional areas: configuration management,
incident response and reporting, and remote access management.
    Notably, our penetration testing this year revealed a key
weakness regarding the Department's ability to detect
unauthorized activity inside its computer networks. We
determined that three areas were in fact generally effective--
risk management, security training, and contingency planning--
although some improvements were needed.
    Finally, we found that two areas--plans of actions and
milestones and identity access management--would be effective
if implemented properly, although controls over access to FSA's
mainframe environment need improvement.
    Although we did not make a separate conclusion on the
effectiveness of the Department's program to oversee contractor
systems, our review found an issue involving an FSA
subcontractor who restricted OIG access to information, which
left my office unable to complete a comprehensive vulnerability
assessment to determine whether the subcontractor's other
customers improperly accessed department data. This is
particularly problematic because, based on the information the
subcontractor did provide to us, we found accounts with
excessive permissions and unauthorized access.
    The results of our FISMA and other work show that the
Department and FSA must work harder to address existing
weaknesses so they can be in a better position to identify and
stop increasingly sophisticated attacks on critical IT
infrastructures. My office is committed to helping them do so.
    Thank you very much. I'm happy to answer questions.
    [Prepared statement of Ms. Tighe follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman Chaffetz. Thank you.
    Dr. Harris, you are now recognized for 5 minutes.

                  STATEMENT OF DANNY A. HARRIS

    Mr. Harris. Thank you, Mr. Chairman.
    Chairman Chaffetz, Representative Connolly, and members of
the committee, thank you for the opportunity to appear before
you today.
    As the chief information officer for the Department of
Education, I am committed to ensuring we have an effective
cybersecurity program in place that includes strong controls
and continuously monitors--we continuously monitor and evaluate
our posture for opportunities to minimize risk and exposure as
we work to improve our current systems and processes.
    While ED has made significant progress over the last
several years in strengthening the overall cybersecurity
program, we are not satisfied, and we have solid plans to
continue to increase the security of ED's systems. Before I
dive into the specifics of our evolution, I wanted to provide
brief organizational context that will assist our discussion
today.
    ED is organized under one department-level CIO, a role that
I have served in since 2008. The department-level CIO manages
all core IT functions, including but not limited to IT
operations, cybersecurity, enterprise architecture, and IT
investment management.
    Federal Student Aid, a performance-based organization,
also appoints a separate CIO, who reports to FSA's chief
operating officer. While the department-level CIO is ultimately
accountable for the IT portfolio, FSA maintains independent
operational responsibility for its IT portfolio. The FSA
enterprise includes major mission systems that support student-
facing and public services.
A few examples include the commonly \nknown Free Application for Federal Student Aid, or FAFSA, and \nStudentAid.gov.\n    During my more than 7 years as the Department's CIO, I've \nworked closely with leadership in FSA to ensure that IT \nmanagement integrates with the Department's IT systems. Since \nfiscal year 2011 when the Department was noncompliant with all \n10 areas of FISMA, steady and consistent progress has been \nmade.\n    For example, the Department established a continuing \nmonitoring program to assess the security state of information \nsystems in the Department's two distinct environments, one \ncalled EDUCATE, which handles all of our infrastructure \nservices, and the other, FSA's Virtual Data Center.\n    OCIO and FSA adopted and implemented automated scanning and \ndetection tools to collect, analyze, and report on security-\nrelated risks, issues, and threats to the Department's systems. \nOther improvements include implementation of a network access \ncontrol, or NAC, which provides device-level authentication and \ndata loss prevention, or DLP, capabilities. This allows for \ncontrol of data flowing in and out of our environment.\n    Additionally, the OCIO moved from managed service provider \nto an in-house security operations center, or what we call a \nSOC, which allows for real-time threat detection and tracking. \nAs a result, it has gained better situational awareness of its \nnetwork environment and is able to respond more rapidly to \nnetwork events.\n    In July 2015 a two-factor authentication solution for \naccessing email remotely from personally owned computers and \nmobile devices replaced the previous user-name-and-password \nauthentication method. The new method meets strong \nauthentication mandates defined by OMB. 
We have reduced our \nFISMA noncompliance from 10 metric areas to 5 and have solid \nplans of resolving the remaining deficiencies.\n    Most recently, the Department actively worked to address \nthe focus areas of a cyber sprint by completing the review of \nidentification of our high-value assets, completing the \nindicators of compromised network scan, mitigating critical \nvulnerabilities, and reviewing and appropriately restricting \nprivileged user access. OCIO and FSA developed implementation \nplans to increase the issuance of personal identity \nverification or PIV cards to meet requirements of strong \nauthentication. The OCIO completed its implementation this \nSeptember, and FSA's completion is scheduled for this December.\n    OIG's objective for the 2015 FISMA audit changed from a \ncompliance-based auditing approach to a focus on general \neffectiveness of the Department's IT security program and \npractices. OIG found that while the Department has made \nprogress in strengthening its information security program with \n5 of the 10 reporting metrics noted as generally \neffectiveness--effective, weaknesses were still noted in four \nof the five reporting metrics. Specifically, the IG determined \nit was not generally effective in the areas of continuous \nmonitoring, configuration management, incident response and \nreporting, and remote access.\n    In response, we are actively engaged in implementing \nsolutions to address these areas. 
For example, to meet the \nrequirements of OMB for implementing continuous monitoring by \nfiscal year 2007, the Department has developed an information \nsecurity continuous monitoring implementation plan and is \nactively engaged with DHS to obtain continuous monitoring \nsolutions as part of the task order 2 of the CDM program.\n    Configuration management activities for fiscal year 2016 \ninclude continuing the implementation of our NAC solution, to \nrestrict access for users and devices, strengthen the \nDepartment's patch and vulnerability management program and \nprioritize and update policies and procedures to meet Federal \nconfiguration management requirements. For incident response \nand reporting, the Department is utilizing additional \ncapabilities to identify and block attacks, for example, adding \nweb application firewalls.\n    And finally, to address weaknesses noted in remote access, \nthe Department continues to consolidate and standardize the \nremote access solutions currently in use. This will allow for \nincreased consistency in the implementation of controls across \nthe remaining solutions. FSA continues their implementation of \ntwo-factor authentication requirements to include two-factor \nenablement on their remote connections.\n    Thank you again for the opportunity to testify today and \nprovide you with specifics of our plans. I will be pleased to \nanswer any questions you may have.\n    [Prepared statement of Mr. Harris follows:]\n    \n    \n    \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n   \n    \n        \n    Chairman Chaffetz. Thank you. I appreciate that.\n    I will now recognize the gentleman from Michigan, Mr. \nWalberg, for 5 minutes.\n    Mr. Walberg. Thank you, Mr. Chairman. Thanks to the panel \nfor being here.\n    Mr. Harris, I appreciate your testimony and the information \nyou have given. As has been mentioned, DMCS supports back-end \nloan collection work for borrowers. 
As CIO, you rated DMCS as higher \nrisk on the Federal IT Dashboard since at least September 12, \n2013, due to contracting problems so severe, a cure notice was \neven issued. What do you consider when rating the risk of \ninvestments on the dashboard? Review that for us.\n    Mr. Harris. Thank you for the question. Thank you for the \nquestion.\n    There are a number of factors that I specifically look at \nas the CIO to rate an investment. A lot of it has to do with \nthe project management of that investment. In other words, are \nyou meeting deadlines on deliverables? A lot of it has to do \nsimply with the size of the investment. More times than not, an \ninvestment can be managed properly, but given the size of it, \nwe still consider it high-risk. In a lot of instances we look \nat the kinds of data that that system actually maintains. And \nso not in all instances will you see an investment that is \ndoing well that still won't be perceived as a high risk.\n    Mr. Walberg. Based on that, can you then explain why the \nrisk rating went from yellow to dark red in May of 2014, a \nrating that changed shortly after the House Education and \nWorkforce Committee held a hearing on the problems with DMCS, \nand why has the rating stayed red through May 2015?\n    Mr. Harris. Representative Walberg, I don't have that \ninformation in my head right now, but that's certainly \ninformation I'd love to provide you.\n    Mr. Walberg. It would be great if you could. Any time frame \nthat you could get that to us?\n    Mr. Harris. Certainly within the week, sir.\n    Mr. Walberg. Okay. I appreciate that.\n    On June 30, 2015, DMCS was re-categorized as low risk. Is \nyour testimony today here under oath that these contracting \nissues are fully addressed?\n    Mr. Harris. Again, Representative Walberg, I'd have to look \nat the details of that, and I will get that to you within the \nweek as well.\n    Mr. Walberg. Okay. Pretty significant details. 
We would \nappreciate that information.\n    Inspector General Tighe, are you confident that all the \nproblems are fixed and contracting with DMCS is okay based on \nyour work?\n    Ms. Tighe. Based on our work, no, I can't say with \nconfidence that everything in DMCS2 is fixed. I mean the \ncontractor Maximus, who is currently operating DMCS2, had a \nnumber of problems it needed to fix when it--the contract began \na year or so ago. I don't think we can say at this point. We \nhave not audited specifically what Maximus has achieved, but I \nwould find it hard to believe that all the fixes are completed.\n    Mr. Walberg. Have you looked at some of the objectives and \nparameters that they are using, and is there any confidence \nthat flows from that?\n    Ms. Tighe. We have not audited the dashboard specifically \nand what goes into it and whether the analysis related to \nDMCS2, as put on the dashboard, is correct or not. We've done a \nnumber of reports related to DMCS2 dating back a few years. As \nyou probably know, it was a material weakness in the financial \nstatement a few years ago. It's gradually--they've tackled the \nproblems and are able to make DMCS2 functional, at least with \nworkarounds, but I--manual workarounds, but I think the new \ncontractor is supposed to be working on making it fully \nfunctional.\n    Mr. Walberg. Okay. Thank you. Mr. Chairman, I yield back.\n    Chairman Chaffetz. I thank the gentleman. I now recognize \nthe gentleman from Virginia, Mr. Connolly, for 5 minutes.\n    Mr. Connolly. I thank the chair.\n    Dr. Harris, I have got to say to you it is not confidence-\nbuilding that you were asked questions by Mr. Walberg involving \nreports that, you know, going from yellow to red now in a high-\nrisk category, and your answer is I have got to get back to \nyou, seemingly unaware of these reports. Is that your \ntestimony? You were not aware of these reports? This is news to \nyou?\n    Mr. Harris. 
No, Representative Connolly. It's not news to \nme. There are--there's a large number of investments that I \nreview. I want to make sure that I provide you accurate \ninformation.\n    Mr. Connolly. Well, it just seems to me if we are going to \nhave a hearing on this subject and you are the CIO, why not be \nbetter prepared frankly coming before this committee to be able \nto answer questions that certainly you could have, should have \nanticipated.\n    So in that same pleasant vein, can you address the fact \nthat you got the lowest grade possible in the FITARA scorecard? \nUnderstanding it is a work in progress and the intent here is \nnot to put a scarlet letter on one's back, but you really got \nfailing grades in all but one category, and that was a ``D''. I \nwouldn't have gotten into graduate school with that kind of \nscorecard. Please address it.\n    Mr. Harris. Absolutely, sir. I respectfully disagree with \nthe rating. First of all, I am not aware of the source of that \ninformation, but what I can tell you, sir, is that we have a \nsolid plan in place, implementation plan in place for FITARA by \nthis December, and, quite frankly, in multiple meetings with \nOMB they made it very clear to us that our plan was very solid. \nIn fact, many of the requirements of FITARA have already been \nsatisfied by the Department for many, many years. With the \nexception of FSA, currently all IT operations come through the \nCIO, specifically spending, for example.\n    And so I do disagree, respectfully disagree with that \nreport, and I don't know--I haven't found the source of that \ninformation yet. But I think we're very solid on FITARA.\n    Mr. Connolly. Well, I go back to my opening statement. It \nis not a confidence-building measure to have the CIO saying he \ndisagrees with the findings, and you think you are solid with \nFITARA when you got an ``F''. What do you think you should have \ngotten? 
The highest grade was a ``B'' and only two agencies got \nthat.\n    Mr. Harris. I actually think we should have gotten a ``C'', \nsir, if I can give you an example of what I mean.\n    Mr. Connolly. Sure.\n    Mr. Harris. So take the first measure, for example, when \nyou look at data center consolidation. The Department \ncurrently, to be real honest with you, we don't own any data \ncenters but our contractors do. But that's beside the point. We \nstill report. We have three data centers, three data centers. \nAnd in fact, we will be reducing that to two in fiscal year \n2016.\n    And so it startles me that I see an ``F'' in data centers \nwhen we actually are probably the smallest in the Federal \nspace. And given the amount of data processing we do, I think \nthat's astounding.\n    Mr. Connolly. I will work with you on that because that \nhappens to be one of my bugaboos. And the Federal Government, \nas you know, in our last hearing to my surprise we discovered \n2,000 more data centers. So the fact that we have a Federal \nagency testifying they only have three is music to our ears and \nI will be glad to work with you, Dr. Harris, as I know this \ncommittee will, in trying to clarify that ----\n    Mr. Harris. Thank you.\n    Mr. Connolly.--if that is the case. But let me just say \nthis. I exhort you to do what you can not only in clarifying \nthat grade, but more importantly, the spirit of this is \nimprovement because the object here is to make sure that we \ndon't have the kind of data breach we had at OPM at the \nDepartment of Education. And you have a sacred trust in \nprotecting the data of 50 million Americans or more in your \ncare, and, you know, you want to be making the headline that \nactually your data breach is twice that of, you know, some \nother agency. And, I mean, that is not your only goal. We want \nto see you be more efficient. We want you to see IT as a \nresource and a transformative process.\n    Why are there, Dr. 
Harris, repeat recommendations coming \nout of OIG that haven't been acted on by your office or by the \nSecretary?\n    Mr. Harris. I concur with the IG, as well as the committee, \nthat repeat findings are always troublesome. There are two \nreasons why we continue to have some repeat findings.\n    The first reason is the resolution to some of the findings \nare quite complex, and they require multiple years to actually \nresolve. An example, our implementation of our NAC and DLP for \nthe talent that we have, we've spent multiple years \nimplementing NAC and DLP. And in fact, we will finish our \nimplementation this year. But it has taken multiple years to \nimplement those very complex systems. And with the full \nimplementation this fiscal year, we will actually resolve 90 \npercent of the repeat findings.\n    Mr. Connolly. And, Ms. Tighe, you would corroborate that?\n    Ms. Tighe. We would corroborate that ----\n    Mr. Connolly. I can't hear you.\n    Ms. Tighe. Yes, it has been--we have observed that the NAC \nsolution has taken a long time to fully implement, and it does \nimpact some of our repeat findings.\n    Mr. Connolly. But you agree with Dr. Harris's statement \nthat by I think you said the end of the year about 90 percent \nof that will be addressed?\n    Ms. Tighe. I don't know if I can agree with that. I mean we \nhaven't audited that conclusion specifically. We'll find out \nwhen we go in next year's FISMA audit.\n    Mr. Connolly. Okay. Thank you. My time is up.\n    Chairman Chaffetz. Will the gentleman yield?\n    Mr. Connolly. Gladly.\n    Chairman Chaffetz. I want to help clarify this database \ncenter issue. You have, best I can tell, 184 information \nsystems, correct?\n    Mr. Harris. That's correct, sir.\n    Chairman Chaffetz. And you have 120 contractors that house \nthat information, correct?\n    Mr. Harris. That is correct, sir.\n    Chairman Chaffetz. So how many data centers do you have?\n    Mr. Harris. 
We have three data centers that the Department \nof Education maintains. We have--Federal Student Aid has ----\n    Chairman Chaffetz. How many data centers are there housing \nthis information that you are responsible for?\n    Mr. Harris. I don't know, Mr. Chairman.\n    Chairman Chaffetz. Well, there you go. There is the \nproblem. The answer is not three. You are at least 123, and you \ndon't know? Is a contractor not a database to you?\n    Mr. Harris. I'm sorry. Ask the question again, sir.\n    Chairman Chaffetz. If a contractor is housing the \ninformation, is that not a database?\n    Mr. Harris. We do not count that as a data center, sir.\n    Chairman Chaffetz. Why not?\n    Mr. Harris. Based on OMB's guidance on how we count data \ncenters, we don't count that. It--we get that as a service and \nso we don't count it as a data center.\n    Chairman Chaffetz. So you just contract that out; you leave \nit alone? The inspector general can't look at it. You don't \neven consider one of your databases?\n    Mr. Harris. We don't, sir.\n    Mr. Connolly. So ----\n    Chairman Chaffetz. There is the problem, Mr. Connolly.\n    Mr. Connolly.--Mr. Chairman, could I just ----\n    Chairman Chaffetz. Sure. Go ahead.\n    Mr. Connolly. So your philosophy is that a data is \ncompromised through a contractor, that is their problem, not \nyour problem?\n    Mr. Harris. That is not correct.\n    Mr. Connolly. Well, you can't have it both ways. Either you \ntake responsibility for a data center irrespective of where it \nis located or you don't. It is under your charge. That is the \npoint I think the chairman is making.\n    Chairman Chaffetz. You are paying for it. We are paying for \nit. Taxpayers are paying for it.\n    Mr. Connolly. I mean, fair enough, you don't count it. This \nisn't a bureaucratic, you know, checklist process. 
What we are \nconcerned about is efficiency, reliability, and security, and \nif you have got hundreds or thousands of data centers under the \ncare of contractors, okay, OMB may not count that as \ntechnically a Department of Education data center, but it is \nstill in your charge. And our concern here isn't to consolidate \nfor the sake of consolidation so we feel better. It is because \nwe believe it is inefficient to have a multiplicity of data \ncenters. In fact, we know it is. And we need cooperation from \nevery agency, irrespective of where they are located.\n    I yield back, Mr. Chairman.\n    Chairman Chaffetz. And as a concluding point, I hope we \ncould jointly ask that the GAO look at this issue of data \ncenters at the Department of Education.\n    Mr. Wilshusen. I would be happy to work with your staff to do \nthat.\n    Chairman Chaffetz. Thank you.\n    I now recognize the gentleman from North Carolina, Mr. \nMeadows, for 5 minutes.\n    Mr. Meadows. Thank you, Mr. Chairman. And I thank the \nranking member for his insightful questions as it relates to \nthese data centers. I have worked with him in a very close way, \nin a bipartisan way, and so I find it just very interesting \nthat your testimony here this morning would be that you have \nthree data centers when the GAO would not agree with that. So \nyou are disagreeing with the GAO on their definition, is that \ncorrect?\n    Mr. Harris. If GAO is suggesting that we have more--the \nDepartment has more than three data centers, yes, sir, I am \ndisagreeing.\n    Mr. Meadows. All right. So here is my concern, Dr. Harris. \nYou know, the headline should read Department of Education Gets \nan ``F''. Now, that is not good when we are talking about \neducation, but what is even more troubling is the definition of \na data center has been made very clear to me, and I am not a \nCIO. 
GAO has been very clear on what they view a data center to \nbe, and under your definition, under your definition, everybody \ncould get rid of every single data center by subcontracting out \nthe service. Do you follow the logic there?\n    Mr. Harris. I do, sir.\n    Mr. Meadows. So are you suggesting that you will go to zero \nand get an ``A'' on that dashboard just by subcontracting all \nyour data centers out to someone else?\n    Mr. Harris. No, sir, I do not.\n    Mr. Meadows. Okay. Well, then explain the disconnect to me. \nWhy is your testimony three if indeed you are subcontracting \nout those services?\n    Mr. Harris. So when OMB does a data call and they give us \nguidance for how we report ----\n    Mr. Meadows. I am talking about GAO ----\n    Mr. Harris. I'm sorry.\n    Mr. Meadows.--all right, the dashboard. They are going to \nbe the ones that help define this with FITARA and everything \nelse, and we're going to have you back in here on a hearing. So \nwith their definition, how do you think you can consolidate \nsome of those data centers that are subcontracted right now? So \ndo you have 120 subcontracted data centers?\n    Mr. Harris. Sir, the only way to consolidate those is to \nactually consolidate contracts.\n    Mr. Meadows. Exactly. Thank you, Dr. Harris. And so are you \ngoing to consolidate contracts?\n    Mr. Harris. We're certainly willing to take a look at that.\n    Mr. Meadows. Okay. I would suggest that you do that, \nbecause if not, you are going to continue to get an ``F'' when \nit comes to data consolidation. The risk is spread across 120 \nsubcontractors. Would you agree with that?\n    Mr. Harris. Yes, sir.\n    Mr. Meadows. Okay. And, Ms. Tighe, were you able to \ninfiltrate their system? I noticed the notes from the fiscal \nyear 2015 indicated that you were able to penetrate the EDUCATE \nsystem. Were you able to do that?\n    Ms. Tighe. Yes. 
During our penetration testing for our--the \nFISMA audit this year, we were able to gain access--full access \nto the EDUCATE system, which is the general support system that \nhouses a number of the Department's systems, undetected by \neither the contractor for EDUCATE--Dell--or the CIO's office.\n    Mr. Meadows. So you are saying Dr. Harris didn't know that \nyou were there?\n    Ms. Tighe. Correct.\n    Mr. Meadows. So, Dr. Harris, how do you explain--I mean are \nyou willing to stake your reputation and your job on the fact \nthat the system is secure?\n    Mr. Harris. I am today, sir, with full ----\n    Mr. Meadows. So if there is a breach from this point \nforward, you are willing to resign?\n    Mr. Harris. No, sir, I did not say that.\n    Mr. Meadows. Okay. Well, I said your reputation and your \njob.\n    Mr. Harris. I certainly will stake my reputation, given \nwhere we are today. Our full implementation of NAC and DLP, for \nexample ----\n    Mr. Meadows. So how confident on a scale of 1 to 10 with 10 \nbeing the highest are you that we will not have some kind of a \nbreach? Ms. Tighe was able to get in. I have got hackers I \ncould probably hire to get in there today. Wouldn't you agree \nwith that?\n    Mr. Harris. As of today, sir, I would rank it a 7.\n    Mr. Meadows. A 7?\n    Mr. Harris. Yes.\n    Mr. Meadows. So when ----\n    Mr. Harris. We're making great progress but I would rank it \na 7.\n    Mr. Meadows. Okay. Now, is this a 7 on the same scale that \nyou just gave yourself a ``C'' where FITARA gave you--the \ndashboard gave you an ``F''?\n    Mr. Harris. That is correct, sir.\n    Mr. Meadows. All right. So this is the grading according to \nDr. Harris?\n    Mr. Harris. I just believe we've made a tremendous amount \nof progress ----\n    Mr. Meadows. Okay. 
So what do we tell the 125 million \npeople that have their personal identification numbers \npotentially at risk when you say that it was a 7, you have \nstaked your reputation on it, and yet we have a breach like we \nhad at OPM? Are you confident that we are not going to have \nthat?\n    Mr. Harris. I have strong confidence, sir, and may I tell \nyou why? Even prior to the cyber sprint where two-factor \nauthentication required level of assurance 4, long before that, \nwe had two-factor authentication at LOA 3, not as strong as 4 \nbut ----\n    Mr. Meadows. But on two-factor authentication, you went \ndown--it has already been testified you went down. You went the \nopposite way on our 30-day testing period on, you know, the \ntwo-person authentication. So you may have had it but you \nweren't using it.\n    Mr. Harris. Might I explain?\n    Mr. Meadows. Sure.\n    Mr. Harris. Interestingly enough, two things happened \nduring the cyber sprint. The definition of privileged users \nchanged, and the LOA, the level of assurance, changed. Take a \nlook at the privileged users. The definition went from a \ntechnical, hardcore access to technical information to anyone \nwho had access to PII. As a result of that, we voluntarily \nchanged our number to significantly increase the number of \nprivileged users that we were reporting, which dropped our \npercentage.\n    Mr. Meadows. All right. I appreciate the chair's \nindulgence. Thank you for your answer. I will yield back.\n    Chairman Chaffetz. I thank the gentleman.\n    I will now recognize the gentlewoman from New York, Mrs. \nMaloney, 5 minutes.\n    Mrs. Maloney. Mr. Chairman, thank you.\n    There have been a number of significant data breaches over \nthe past year that have jeopardized the personal and financial \ninformation of millions of Americans. 
Anthem, Premera Blue \nCross, the Office of Personnel Management, and most recently, \nExperian all suffered breaches in which hackers were able to \nsteal the personal information of millions of individuals.\n    Mr. Harris, we are not here today talking about that kind \nof massive data breach that has actually happened at the \nDepartment of Education, correct?\n    Mr. Harris. That is correct.\n    Mrs. Maloney. Okay. The Department of Education systems do \ncontain large volumes of sensitive information, however, \nincluding personnel records, financial information on students \nand borrowers that would be attractive to cyber thieves. \nTherefore, it is an important part of our oversight to ensure \nthat these systems are adequately protected.\n    Ms. Tighe, according to the 2015 audit your office issued \nlast Friday, ``the Department and FSA made progress in \nstrengthening its information security systems.'' What are the \nareas where you have seen the Department make the most \nprogress?\n    Ms. Tighe. Some of the areas include--they've done a good \njob on password controls for system users. They've done a \nbetter job--a much better job of--once incidents are found, of \nreporting them up through US-CERT and addressing those issues. \nAnd another area, because we noted in our fiscal year 2014 \nreport, our last year's FISMA report, that there were problems \nin CIO's office with the fact that they would say they've \nimplemented corrective action, but we would go in the next year \nand continue to find the same problem even though they said \nthat they did it. They've now implemented a much better process \nfor dealing with corrective action, and so we've been very \npleased to see them actually resolve some issues.\n    Mrs. Maloney. Okay. And in your 2015 audit you did identify \nseveral weaknesses in the Department's information security \nsystem. 
With respect to those weaknesses, your report states, \n``we found that the Department was not generally effective in \nfour security areas: continuous monitoring, configuration \nmanagement, incident response and reporting, and remote access \nmanagement.''\n    Mr. Harris, as the Department's CIO, do you agree with the \nIG's assessment that the Department needs improvement in the \nfour security areas I just read?\n    Mr. Harris. Yes, Representative Maloney, I do concur.\n    Mrs. Maloney. Okay. Are there any areas in which you \ndisagree with the IG's assessment about the Department's \nweaknesses in IT security, and if so, what are they?\n    Mr. Harris. No, Representative Maloney, I do not.\n    Mrs. Maloney. You do not. Okay. In addition to reporting on \nweaknesses the IG found in the Department's IT security, the \nreport makes 26 recommendations for improving the effectiveness \nof the information security programs. Mr. Harris, do you have a \ntimeline for implementing the IG's recommendations?\n    Mr. Harris. Our plan is to resolve all of those \nrecommendations in fiscal year 2016.\n    Mrs. Maloney. And when will you have all the \nrecommendations implemented, all of them by the end of 2016?\n    Mr. Harris. That is correct.\n    Mrs. Maloney. Okay. Do you have all the tools you need to \nmake the improvements the IG recommended?\n    Mr. Harris. It is a very, very aggressive plan and \nstrategy, but that is surely our intent. If we have to move \nresources from one place to another, it is certainly our intent \nto do so.\n    Mrs. Maloney. Well, I want to thank you. Given the large \namounts of sensitive and confidential information the \nDepartment retains, it is imperative that it move as quickly as \npossible to correct the weaknesses the IG has reported in her \nreport.\n    Okay. Thank you.\n    Chairman Chaffetz. I thank the gentleman.\n    I will now recognize the gentleman from North Carolina, Mr. \nWalker, for 5 minutes.\n    Mr. Walker. 
Thank you, Mr. Chairman.\n    The inspector general found that the Department's remote \naccess management program was not generally effective because \nit did not enforce its network timeout requirement or, more \nsignificantly, use the two-factor authentication for two of its \nnetwork connections.\n    The failure of the Department to enforce the two-factor \nauthentication requirement for remote access users opens it up \nto the same style of cyber attacks that were used against OPM.\n    Ms. Tighe, let me start with you if I could please. Can you \nelaborate on how the Department's failure to enforce timeout \nrequirements in the two-factor process for this remote access \nopens up the Department of Education to the same attacks \npotentially that we saw used against the OPM?\n    Ms. Tighe. Well, yes. The problem that we identified this \nyear, we had gone out and asked for the inventory--and this was \nto the Federal Student Aid organization--what your inventory of \nremote access devices. They identified four. We did penetration \ntesting, found two more that they didn't even know about, and \nthose two did not have two-factor authentication.\n    So they have now, we understand--have put two-factor \nauthentication on those two additional remote access points, \nbut we still have, I believe a couple of outstanding \nrecommendations related to remote access. And if you do not \nhave proper controls obviously on remote access, then you do \nopen up the Department to attacks from the outside.\n    Mr. Walker. Sure. And I am sure you guys are taking the \nprecaution, you are looking at these two adjustments, \nmodifications, or things that we can include to prevent maybe \nsome more of the cyber attacks. Is that fair to say?\n    Ms. Tighe. Yes.\n    Mr. Walker. Okay. Dr. Harris, what is the Department of \nEducation--what are your actions and doing to solve this \nproblem? 
Are you guys doing anything specific to making sure--\nyou know, if I remember correctly, the OPM Director Archuleta \nended up having to resign because the breach was so intensive. \nWe don't want the same kind of thing here in the Department of \nEducation. Can you tell me what actions, steps you guys are \ntaking?\n    Mr. Harris. Absolutely, Representative Walker.\n    So for the two incidents you just mentioned, I concur with \nthe IG. We have since resolved both of those. The incident not \npassing the buck, I don't have operational responsibility for, \nbut at the end of the day I am accountable and responsible for. \nAnd so we have made sure that we continue to harden our two-\nfactor authentication.\n    And what's really critical is we are looking at least \nprivileged. It's not just a matter of managing your privileged \nusers but making sure they have the minimum privileges that \nthey need. So we're doing both of those.\n    Mr. Walker. Would you mind dialing it down just a little \nbit more specific? When you say you are doing both of those, is \nthere a specific date of implementation? Or how exactly are you \ndoing these things to make sure that it is safer?\n    Mr. Harris. Yes. On the education side we've already \ncompleted 100 percent two-factor authentication, LOA 4, the \nstrongest. And on the FSA side of the house, the--their \ncompletion date is December of this year.\n    Mr. Walker. Okay. Thank you for your answers.\n    With that, Mr. Chairman, I yield back the balance of my \ntime.\n    Chairman Chaffetz. I thank the gentleman.\n    I will now recognize the gentleman from Georgia, Mr. Hice, \nfor 5 minutes.\n    Mr. Hice. Thank you, Mr. Chairman. And thank each of you \nfor being here and testifying.\n    I would like to begin, Ms. Tighe, with you. According to \nthe 2015 audit, as has already been brought up a couple of \ntimes here this morning, there were six repeat findings and 10 \nrepeat recommendations. 
That, of course, I think, raises a red \nflag for a lot of people as to why these things are not being \naddressed. So from your perspective, what is the issue? Is it \nan inability--are they unable to take care of these issues, or \nis it a matter more of an unwillingness to do so?\n    Ms. Tighe. Well, I think there's a lot going on here. \nThere's no one particular reason. I mean some is, as Dr. Harris \ntestified, the fact that sometimes solutions are--can't happen \nshort term. They are sometimes long term. Sometimes we raise \nissues on particular systems, and they may achieve a solution \nto that particular problem, but what they don't then do is say, \nhey, maybe we have the same problem on other systems. So we go \nback in the next year because we kind of rotate through our \nwork looking at different systems because we can't look at 184 \nevery year, right, so--and sometimes we get to the next year \nand we see the same problem we identified on this system on \nanother system, which is what, you know, gets frustrating for \nus.\n    Mr. Hice. So you would put the blame on these systems rather \nthan ----\n    Ms. Tighe. Well ----\n    Mr. Hice.--an inability or an unwillingness to address the \n----\n    Ms. Tighe. Well, I think there needs to be a couple of \nthings. I think attention needs to be paid to our \nrecommendations and priority given to them. I think sometimes \nlong-term solutions can seem to happen--be longer than maybe \nthey need to be. And also I think that when we make a \nrecommendation pertaining to one system, it would be good to \nstep back and think--for the Department to step back and think, \nhey, is this same problem happening on other systems.\n    Mr. Hice. Okay. Thank you.\n    Dr. Harris, it appears to me that we're utilizing outdated \ntechnology, and I think you have acknowledged that as well. In \nfact, it appears from what I've read there's 962 operating \nsystems that are no longer supported by vendors. 
That's \ninexcusable. The vulnerabilities can't even be spoken of. I \nmean we can't even fathom the kind of vulnerabilities when \nyou're utilizing technology that's not even supported any \nlonger, and yet you said you feel you'd give yourself a 7 out \nof 10 that we're currently--how in the world can you give \nyourself a 7 out of 10 when we're using technology that's not \neven supported?\n    Mr. Harris. Representative Hice, I would concur with you \nthat it is kind of ridiculous that we're using this old \ntechnology. The 7 that I give us is the remediation that we \nhave in place and the tools we have to actually protect those \noutdated systems while we work hard to catch up. So on the one \nhand you're absolutely right. There are vulnerabilities on that \nside, but the remediation is on the side of the tools that we \nhave in place as we modernize.\n    Mr. Hice. Why is the Department using that old technology?\n    Mr. Harris. A lot of it has ----\n    Mr. Hice. Why doesn't it catch up with the times?\n    Mr. Harris. Sorry, sir. A lot of it has to do with the \nsystem owners and the applications--application owner's ability \nto keep up with the operating system. In some cases, you have \nto make a decision do you shut down a mission-critical \napplication that provides services to the public, or do you \nmitigate the risk? And more times than not we mitigate the risk \nwhile we're trying to modernize.\n    Mr. Hice. All right. So how long is it going to take to \nmodernize?\n    Mr. Harris. I don't have an answer to that, sir, across the \nentire platform, but I can tell you that we are working hard to \ndo that modernization.\n    Mr. Hice. All right. So we are going to continue to have \nvulnerabilities for an indefinite period of time?\n    Mr. Harris. I think we will, sir. And I think what we have \nto do is work hard to make sure that we have tools in place \nthat mitigates that risk.\n    Mr. Hice. Okay. ``Work hard'' sounds fine, Dr. 
Harris, but \nwhat does that mean? When can we expect the system to be \nsecure? We have tens of millions of people whose lives and \npersonal information is at a potential high risk as it relates \nto vulnerability, and your answer is we are going to work hard. \nWhen is the vulnerability going to be removed?\n    Mr. Harris. And, Representative Hice, I would say that we \nare reasonably secure now. I'm not suggesting that we're not \nsecure, but we do need to strengthen. That's very important. \nI'm not going to suggest that we don't have a tremendous amount \nof work to do. But I want--don't want the general public to \nthink that we are not secure.\n    Mr. Hice. There again, ``reasonably'' is not a very secure \nanswer. We have got a lot of people whose lives and personal \ninformation is potentially hanging in the balance. And this is \nan issue, Mr. Chairman, that hits every district in this \ncountry. And my time is expired but I thank the chairman for \nthis and I yield back.\n    Chairman Chaffetz. I thank the gentleman. I will now \nrecognize the gentlewoman from Illinois, Ms. Kelly, for 5 \nminutes.\n    Ms. Kelly. Thank you, Mr. Chairman.\n    Ms. Tighe, your office identified key weaknesses in the \nability of the Department and its contractor Dell to detect and \nprevent unauthorized access. Can you tell us what your testers \nwere able to do during the vulnerability assessment testing of \nsome of the Department's IT environments?\n    Ms. Tighe. Yes. We were able to--during the penetration \ntesting, we were able to gain access--or full access to the \ncomplete EDUCATE environment. And EDUCATE, you have to \nunderstand, is a--sort of a general support system that houses \na number of the Department's systems. So we were able to \ncompletely access that and went undetected by either the \nDepartment's contractor or the Department.\n    Ms. Kelly. Thank you. 
The FISMA audit report explains that \nthe Department's defenses did not detect or terminate the \nunauthorized access and remained on the network for hours. What \nkind of risks are the Department's systems exposed to by these \nweaknesses in detection and prevention of unauthorized access?\n    Ms. Tighe. Well, I think the risks would certainly be \naccess to the Department's data. We could have really done \nanything in there. So the fact that we were able to gain access \nmeans that outsiders who have bad intentions are able also to \ncome back through the same way we did and gain access. And that \nreally puts the Department systems and data and employees and \neverybody who deals with--is involved in our system is at risk.\n    Ms. Kelly. All right. Mr. Wilshusen, do you know whether \nthis kind of undetected, unauthorized access is characteristic \nof some of the major data breaches that have occurred in the \npublic and private sectors?\n    Mr. Wilshusen. Yes, I think it is actually. Indeed, just \nfor example like with the OPM breach, that occurred for a \nnumber of months before it was actually detected. And so I \nthink that's often one of the hallmarks of these very \nsuccessful attacks is that they do go undetected. They exploit \nknown vulnerabilities and systems and then go undetected.\n    Ms. Kelly. The OIG recommended that the Department ensures \nits intrusion detection and prevention system and technical \nsecurity architecture are properly configured to restrict and \neliminate unauthorized access. Mr. Harris, the Department \nconcurs with this recommendation, correct?\n    Mr. Harris. Yes, we do.\n    Ms. Kelly. What is the status of the Department's plan, \ncorrective actions, and when do you expect them to be \ncompleted?\n    Mr. Harris. So I'm pleased to announce that, with the \nimplementation of our--a NAC system, it allows us to do three \nthings. 
It allows us to look at all--look and touch all of our \nassets, it allows us to see the configuration on those assets, \nand it allows us to manage the vulnerability on those assets. \nFiscal year 2016 we plan for a full implementation. It is in \nplace now and we can monitor. The full implementation will \nallow us to actually block anonymous behavior.\n    Ms. Kelly. Is this fiscal year 2016 January or March? \nAround when in fiscal year 2016?\n    Mr. Harris. The third quarter is what we're looking at.\n    Ms. Kelly. Okay. Thank you. Ms. Tighe, you said in your \ntestimony that the Department was effective in ensuring proper \nincident response and reporting once incidents were reported. \nCan you describe what steps the Department has taken to ensure \nit effectively responds to incidents?\n    Ms. Tighe. Yes, they have--and I would defer to Dr. Harris \non this if he has more to add--but I know that they have a SOC, \na security operation center, up and running, and that's given \nthem capabilities they never had before in terms of incident \nreporting and response.\n    Ms. Kelly. Dr. Harris, did you want to add anything?\n    Mr. Harris. Yes, I would. We have an incident response \nprocess that follows both OMB and NIST guidelines, and we also \nhave a very strong and well-documented PIRT process, basically \na privacy incident response team that goes into action when we \nhave breaches.\n    Ms. Kelly. Okay. And you discussed in your testimony the \nrole of the Department of Homeland Security has in helping the \nDepartment identify risks. Can you expand upon that? How do \nthose programs help supplement your efforts?\n    Mr. Harris. Sure. I talk about it in very--I'm very \nenthusiastic about the progress the Department has made over \nthe last 3 years. 
A lot of it has to do with the shared \nservices that DHS provides to us, specifically with CDM task \norder 2 where we will expand our sensors, we will also lower \nthe cost of licensing, and more than anything else, we will \nhave access to dashboards that actually allow us in real time \nto look at vulnerabilities. That's what we're missing right \nnow.\n    Ms. Kelly. Okay. Well, thank you, and I look forward to \nseeing further progress from all agencies in detecting and \nresponding to incidents. Thank you, and I yield back.\n    Chairman Chaffetz. I thank the gentlewoman.\n    I will now recognize the chairman of the Subcommittee on IT \nfor our Oversight and Government Reform Committee, the \ngentleman from Texas, Mr. Hurd.\n    Mr. Hurd. Thank you, Mr. Chairman.\n    I want to start off with a simple question, and this is to \nyou, Ms. Tighe. When you conduct your penetration testing or \ntechnical vulnerability assessment, who decides when that \nhappens? Can the Department come and say, listen, this is a \ntool we would like to use? Can you do this? Or is this \nsomething that you do independently?\n    Ms. Tighe. We do it independently.\n    Mr. Hurd. And is that the same across most agencies?\n    Ms. Tighe. I think that's the same with most IGs who do \npenetration testing. I'm not sure everybody does.\n    Mr. Hurd. And how often do you plan on doing penetration \ntesting?\n    Ms. Tighe. We do it every year as part of our FISMA audit.\n    Mr. Hurd. Okay. Because that is an industry best practice, \nand it is a good thing that this is going on. The information \nyou glean is important for Dr. Harris and his team.\n    Dr. Harris, the remaining of my questions are for you. And \nI am going to read your statements. And I usually like to dig \ninto the weeds at these hearings, but there is a lot of big-\nrock strategic issues that have come out here today. 
In your \ntestimony you say ``the department-level CIO''--that is you--\n``manages all core IT functions, including but not limited to \nIT operations, cybersecurity, enterprise architecture, and IT \ninvestment management.'' You further add that ``the Office of \nFederal Student Aid (FSA) appoints a separate CIO.''\n    Now, you are saying that you are responsible for all IT \ndepartment activities but you don't have control over all the \nactivities within the Department of Education. Would that be a \ntrue statement?\n    Mr. Harris. That is correct, Representative Hurd.\n    Mr. Hurd. Does that make sense?\n    Mr. Harris. I believe that FITARA will strengthen my \nability and authority to actually provide more guidance and \noversight, and if you want to use the word control over \noperations. Right now, that is a challenge.\n    Mr. Hurd. So there are two people missing here today to be \nfrank. Number one is the agency head, right? And I know Arne \nDuncan has announced his retirement and John King will be \ntaking over as acting duties and I think through the rest of \nthis administration because ultimately, the buck stops there. \nBut we are also missing the CIO of FSA participating in this \nconversation because it doesn't make any sense.\n    And we go back to the issue of data centers. Department of \nEducation is ultimately responsible for all the data centers \nthat hold information for these kids that are applying for \nFederal aid. So saying that we have three is being \ndisingenuous, right? And my question is, you know, when we have \nthese issues, who is remediating these vulnerabilities, \nespecially when it comes to FSA? Are you responsible for it? Is \nthe CIO of FSA responsible for it? Who is ultimately supposed \nto be held accountable for these issues?\n    And you talk about NAC's implementation. 
Is this going to \ninclude all the subcontractors or is this just Department of \nEducation employees that have that on their badge, not \nnecessarily all the subcontractors that work for you?\n    Mr. Harris. Currently, it's just the Department of \nEducation, the latter.\n    Mr. Hurd. Does that make sense?\n    Mr. Harris. No, sir, it does not.\n    Mr. Hurd. So IG reports show that since 2011 there was no \nmechanism to restrict the use of unauthorized devices on the \nnetwork. Having the ability to find devices on your network, \ndoes it really take 4 years to figure that out?\n    Mr. Harris. With the talent we had, sir, it took us that \nlong ----\n    Mr. Hurd. So you are saying ----\n    Mr. Harris.--and in the last 3 years we've made a \ntremendous amount of progress.\n    Mr. Hurd. Well, that is not very encouraging. I am hoping \nwe have increased the talent in order to do that because, Ms. \nTighe, would you have any opinions on how long it would take to \nimplement one of these systems?\n    Ms. Tighe. Well, I would hope it would be done sooner but \n----\n    Mr. Hurd. Well, I know ----\n    Ms. Tighe.--I--you know, but I would point out that this \nyear's report also highlighted this again as an issue. So to \nthe extent that ----\n    Mr. Hurd. Great. So, Mr. Harris, how many users do you have \nin the Department of Education?\n    Mr. Harris. Approximately 6,000, sir.\n    Mr. Hurd. Okay. And does that include subcontractors?\n    Mr. Harris. That is correct, sir.\n    Mr. Hurd. So 6,000, just 6,000?\n    Mr. Harris. Yes, sir.\n    Mr. Hurd. Six thousand is not a lot. All right. And I would \nhope you would share with your CIOs and agency heads--\ngenerally, when I ask questions at these hearings, I know the \nanswer because I used to do this for a living, right? And to \nimplement controls on 6,000 users should not take 4 years. I \nliterally thought you were going to say 60,000 or 600,000 \nusers, right? This is completely unacceptable. 
So who are some \nof the vendors--so there are 120 contractors? Is that right, \nChairman? Or do you know the answer? How many other \nsubcontractors do you have?\n    Mr. Harris. Now, the 6,000 includes just the individuals \nusing the Department's data centers. It does not include the \nusers or the subcontracts outside of the VDC and the ----\n    Mr. Hurd. So why are these subcontractors not under your \npurview in your responsibility, in your operational control?\n    Mr. Harris. Well, because, for the most part, FSA has \ncontractual arrangements with them. They don't operate their \ndata centers.\n    Mr. Hurd. So why does FSA not--so does Arne Duncan have \ncontrol over FSA? Does Arne Duncan tell FSA do this and FSA \ndoes that?\n    Mr. Harris. I can't answer that, sir. I'd like to get back \nto you ----\n    Mr. Hurd. So the CIO of FSA, can you tell that person what \nto do?\n    Mr. Harris. I cannot, sir. That person reports to the COO \nof FSA. I provide ----\n    Mr. Hurd. And who does ----\n    Mr. Harris.--direction and guidance.\n    Mr. Hurd. And do you know who the COO of FSA reports to?\n    Mr. Harris. Yes, the Secretary.\n    Mr. Hurd. Interesting. I don't even know where to continue. \nI see my time has expired. But this is the kind of issue that \nthe American people are completely frustrated with. You know, \nthis is not a bureaucratic exercise, as my friend from Virginia \npointed out. And saying that Department of Education has a \ncertain level--but you are responsible for all these others, \nand if you don't have the authority or the power to do that, \nthen you know what, we are here to give you that authority \nbecause we want to hold you accountable. But we want to make \nsure you have all the tools at your disposal to do these \nthings. But it is unacceptable to say 6,000 people. I could \nprobably do that over the weekend. This is completely \nunacceptable. And I look forward to the hearing tomorrow.\n    I am sorry, Mr. 
Chairman, for going over my time. I yield \nback.\n    Chairman Chaffetz. Thank you. I now recognize myself. To \nthe gentleman from Texas, I would say that I believe we have \njust in the National Student Loan database 97,000 accounts, \n97,000, a little higher than the 6,000. I think you have struck \nthe heart of what is the problem because--one of the problems.\n    Under the E-Government Act of 2002 and certainly under \nFITARA, you are supposed to not only have the responsibility \nbut the authority, and I think the gentleman is right. \nSecretary Duncan needs to answer this.\n    And my question, how often do you meet with Secretary \nDuncan?\n    Mr. Harris. On a monthly basis, sir, and ----\n    Chairman Chaffetz. So ----\n    Mr. Harris.--I meet with the deputy secretary weekly.\n    Chairman Chaffetz. So to the gentleman from Texas, I would \nsuggest here they are managing more than $1 trillion in assets, \nliability for the United States. It is basically the size of \nCitibank, and the CIO meets with the Secretary maybe 12 times a \nyear, right, once a month?\n    Mr. Harris. That is correct, sir.\n    Chairman Chaffetz. I mean that is absolutely stunning. And \nlooking at the vulnerability of almost half of the population \nof the United States of America has their personal information \nsitting in this database, which is not secure by any standard, \nany scorecard. It is not secure. A trillion dollars, half of \nall America, and the Secretary of Education, once a month. How \nlong do you meet with him for when you have it? When is the \nlast meeting you had with him?\n    Mr. Harris. About 3 weeks ago, sir.\n    Chairman Chaffetz. How long did you meet with him?\n    Mr. Harris. For an hour-and-a-half.\n    Chairman Chaffetz. Yes. Is it a budget problem? What is \nyour budget? How much money do you have?\n    Mr. Harris. We spend approximately $550 million a year, and \nabout $32 million of that is for IT security.\n    Chairman Chaffetz. 
How much is for IT security?\n    Mr. Harris. Thirty-two million.\n    Chairman Chaffetz. But ----\n    Mr. Harris. However, there's a large percentage of embedded \ncosts for our contractors that would significantly increase \nthat number ----\n    Chairman Chaffetz. And we will have to work this out with \nyou. My understanding is you spend $683 million on IT at the \nDepartment of Education, but do you need more money or do you \nhave enough money?\n    Mr. Harris. Certainly, we could always use more.\n    Chairman Chaffetz. Everybody always says that.\n    Mr. Harris. Sir ----\n    Chairman Chaffetz. Everybody always says that, okay?\n    Mr. Harris. Certainly.\n    Chairman Chaffetz. So ----\n    Mr. Harris. But I would say, sir, that ----\n    Mr. Connolly. For God's sake ----\n    Mr. Harris.--cybersecurity talent ----\n    Mr. Connolly.--say yes, Dr. Harris.\n    Mr. Harris. I would say that my biggest challenge is \ncybersecurity talent even more than money. If you told me to \ntake a choice between the first or the second, I would say you \ncan give me all the money in the world but if the Federal space \ncan't obtain and retain the cyber talent, we are in big \ntrouble.\n    Chairman Chaffetz. No, I absolutely agree with you, and it \nis something I think this committee needs to look at is the pay \nauthority to perhaps even pay the IT specialists more in such a \ncritical vulnerable situation and the ability in the \nmarketplace to actually attract and retain people. I would \nagree with you.\n    Does the Department implement the Department of Homeland \nSecurity Continuous Diagnostic and Mitigation system, and do \nyou have the EINSTEIN intrusion detection program thoroughly \nand completely integrated into all of your IT systems?\n    Mr. Harris. We do, sir. In fact, the Department of \nEducation was one of the first to implement EINSTEIN 1, \nEINSTEIN 2. We're now working with DHS to implement EINSTEIN 3. 
\nAnd, yes, we do participate in CDM task order 2 specifically.\n    Chairman Chaffetz. Does that include the contractors and \nsubcontractors or ----\n    Mr. Harris. It includes those that run our data center. But \nit doesn't include some of the partners that FSA has.\n    Chairman Chaffetz. Okay. So who doesn't it include?\n    Mr. Harris. It doesn't include, again, some of the 100 ----\n    Chairman Chaffetz. So if you have 120 contractors ----\n    Mr. Harris. It doesn't include some of them. I would have \nto get you specific information on, okay, if each one is ----\n    Chairman Chaffetz. If you can follow up with us ----\n    Mr. Harris. Absolutely, sir.\n    Chairman Chaffetz.--and the IG and GAO, that would be \ngreat.\n    Mr. Harris, have you had an intrusion?\n    Mr. Harris. I'm sorry, sir. Say that again.\n    Chairman Chaffetz. Have you had an intrusion? Have you had \na data breach?\n    Mr. Harris. We have had both incidents and data breaches. \nSpecifically, in 2015 we had 91 breaches and we had 200--about \n250 incidents. We have not in the history of the Department--to \nmy knowledge we have not had a major incident. And so all of \nthem fall into the minor category.\n    And if I might give you an example of one?\n    Chairman Chaffetz. What was the most significant one?\n    Mr. Harris. I would say, sir, that the most significant one \nwas in 2012 when, in the FAFSA system for a matter of minutes \nas a result of a--an application glitch, users were able to see \nother users' PII. And again, it was several minutes, but that's \npretty critical.\n    Chairman Chaffetz. Did you report that to the inspector \ngeneral?\n    Mr. Harris. I'm sure we did, sir.\n    Chairman Chaffetz. In the past year are you aware of any \nforeign, national, state, or other adversary penetrating the \nnetwork? Did any of those data breaches and incidents happen in \nthe last year?\n    Mr. Harris. 
Not in the last year, sir, though we constantly \nare threatened by them, but no breaches to my knowledge.\n    Chairman Chaffetz. Not in the last year?\n    Mr. Harris. That is correct, sir.\n    Chairman Chaffetz. How many onsite IT security reviews has \nthe Department conducted to date of the contractors that you \nengage with?\n    Mr. Harris. Our reviews of our contractor are actually \nconstant. We have a security operations center, and we have an \nIV&V contractor that are working daily to review everything \nthat our contractor is doing.\n    Chairman Chaffetz. Ms. Tighe, what is your view of that?\n    Ms. Tighe. I'm aware ----\n    Chairman Chaffetz. Sorry, your microphone.\n    Ms. Tighe. I'm aware that the Department is taking those \nactions. Some parts--I would also point out that some parts of \nthe Department and systems the Department deals with have--and \nit's external business partners like the Title IV services do \nget IT general controls reviews every year because they feed \ninto the financial statement audits. So we do have some level \nof assurance outside of the Department that some--that there is \nsome IT reviews being done of the Department systems.\n    Chairman Chaffetz. All right. Last questions before I \nrecognize Mr. Palmer here, departmental policy requires that \nall employees and contractors who have access to Privacy Act \ndata have a minimum of a 5c public trust background check, but \nit is also my understanding that roughly less than 5,000 of the \npeople who have access have actually had such a background \ncheck, which leaves us in the math roughly 85,000 individuals \nwho have had no background check have access to personal \ninformation in your databases. Would you disagree with any of \nthose numbers? And what are you doing about it?\n    Mr. Harris. I would not disagree with that information, \nsir.\n    Chairman Chaffetz. 
So if it is departmental policy to have \nbackground checks for people who have--remember, we are talking \nabout mostly--these are student loans, right? We are talking \nabout students and kids here. So when you are talking about \naccess to private information and it is departmental policy to \nhave a background check, and yet 85,000 of them don't have a \nbackground check, what are you doing to solve that?\n    Mr. Harris. Sir, I don't believe that includes the \nindividuals who have access to their own information. So the \n85,000 you mention aren't system operators who are actually \nlooking at PII. For example, if we have a student looking at \ntheir own information, they do not need a 5c clearance.\n    Chairman Chaffetz. Well, no, that number is in the tens of \nmillions of people if not hundreds of millions of people. If \nthey are looking at their own information, I am not counting \nthat. I am talking about people who have access into the system \nto go look and fish around. And, Ms. Tighe, can you provide \nmore information about that?\n    Ms. Tighe. Well, I believe that there are--with access to \nthe National Student Loan database, just taking that database, \nthat there are--our numbers that there are about 97,000 \naccounts. This is not--these are non-student accounts. Fifty-\nfive thousand of those, we should all realize, are at \ninstitutions of higher education because all the financial aid \nofficers in every college and university or other school that \nreceives Title IV funding has to access our databases. And I \nthink that is the biggest area where you're not seeing the \nbackground investigations unless that particular college or \nuniversity requires it themselves. But there are other people \nwho access who have accounts. They're the Title IV servicers, \nthe debt collection entities. There's 22 of those and other \nassorted people who touch our systems.\n    Chairman Chaffetz. 
And we know how integrity-failed the \ndebt collection services people are, so, you know, no need for \na background check there. That is departmental policy. I need \nyou to get back to us as to what you are doing to rectify that. \nIt is, I think, a huge vulnerability because these are people \nthat are authorized. They have the authentication to get in \nthere, look around, see the personal identifiable information \nand yet have not had the required background check.\n    Mr. Harris. I will do that, Mr. Chairman.\n    Chairman Chaffetz. Thank you. I have gone well past my \ntime.\n    I will recognize the gentleman from Alabama, Mr. Palmer, \nfor 5 minutes.\n    Mr. Palmer. Thank you, Mr. Chairman.\n    I want to follow up on the question the chairman raised, \nDr. Harris, about EINSTEIN. During the IG penetration testing \nof EDUCATE, why didn't you detect they were on your servers?\n    Mr. Harris. Currently, as I indicated, we have implemented \nNAC. The full implementation, however, is not complete, and we \nplan to complete that this fiscal year.\n    Mr. Palmer. So you are saying ----\n    Mr. Harris. And I do believe we will be able to see that \nactivity then.\n    Mr. Palmer. Now, I am asking why you didn't detect it when \nthey were on your servers at the time they were doing the \npenetration testing.\n    Mr. Harris. We didn't have the tools completely configured.\n    Mr. Palmer. Okay. What tools are you missing?\n    Mr. Harris. We're not missing any. We just don't have them \ncompletely configured. For example, NAC has been implemented \nbut there's a lot of configure work--configuration work that \nneeds to be done for full implementation.\n    Mr. Palmer. So you have the tools but you are not able to \napply them?\n    Mr. Harris. We haven't finished the--we haven't completed \nthe configuration of it ----\n    Mr. Palmer. How ----\n    Mr. Harris.--but we plan to do that this fiscal year.\n    Mr. Palmer. 
You should have it done by the end of this \nfiscal year or the calendar year?\n    Mr. Harris. By the fiscal year, sir.\n    Mr. Palmer. So they will be complete by September 30 of \n'16?\n    Mr. Harris. Sir, I'm hoping to complete them by the end of \nthe third quarter, not September 30.\n    Mr. Palmer. Okay. So that would be ----\n    Mr. Harris. And we're aggressively working to actually do \nit sooner than that.\n    Mr. Palmer. All right. They will be finished by the end of \nJune?\n    Mr. Harris. That is correct.\n    Mr. Palmer. Okay. Thank you. Dr. Harris, according to the \nFederal IT Dashboard, DOED central processing system carries \nout data matching with at least five different agencies and \ninterfaces with DOED's Participation Management, Common \nOrigination system, and Virtual Data Center. What is the nature \nof this understanding between agencies?\n    Mr. Harris. Beyond the sharing of data, that really is the \ntotality of that understanding. We share sensitive data. We \nshare important data with which to do better data processing on \nboth sides.\n    Mr. Palmer. Well, CPS is not PIV-enabled, and if it were to \nbe breached, an adversary would have access to sensitive \npersonally identifiable information and data that multiple \nagencies rely on. Can you tell me what security measures are in \nplace to protect the CPS system?\n    Mr. Harris. I apologize, sir. I don't have operational \noversight of that system and have limited knowledge, but I can \ncertainly get you more information on that.\n    Mr. Palmer. Who has that information?\n    Mr. Harris. The Federal Student Aid CIO.\n    Mr. Palmer. Okay. One last question, do you allow employees \nto use your server to access their personal email?\n    Mr. Harris. Currently, we do, sir.\n    Mr. Palmer. Is that not of concern to you on that ----\n    Mr. Harris. It--I'm sorry, sir.\n    Mr. Palmer. 
Well, we have had other hearings on this when \nwe were dealing with the breach at OPM, and it turns out that \nthe immigration, ICE, had sent out a memo to their employees \nthat they could no longer use the Federal server because they \nhad multiple breaches, and it turns out that there was a union \ngrievance filed and they weren't able to deny their employees \naccess to their server. And it appears that that is where one \nof the breaches occurred. I just wonder, as the chairman points \nout, the enormous number of records that could be accessed, if \nyou are taking any measures to prevent that.\n    Mr. Harris. It's an interesting question, Representative \nPalmer, and it's one that does concern me. We actually met with \nOMB and DHS to talk about the risk level of allowing that kind \nof access. I think the CIO counsel is going to spend more time \ntalking about it, but it is something that concerns me. And \nyou're right, it is a threat factor.\n    Mr. Palmer. Thank you, Mr. Chairman. I yield the balance of \nmy time.\n    Chairman Chaffetz. I thank the gentleman. I will now \nrecognize Mr. Clay of Missouri for 5 minutes.\n    Mr. Clay. Thank you, Mr. Chairman.\n    And, Mr. Wilshusen, the high-risk report GAO released \nearlier this year noted challenges that both the Federal and \nprivate sector face when it comes to securing personally \nidentifiable information. In particular, the 2015 high-risk \nreport pointed to the data breaches at Home Depot and Target as \nexamples of high-profile breaches in the commercial sector. So \nis it fair to say when it comes to the subject of \ncybersecurity, GAO has paid attention to what has been \noccurring in the private sector?\n    Mr. Wilshusen. Yes, it is insofar as these types of \nincidents occur and demonstrate that it isn't strictly--or \ncybersecurity and these intrusions is not strictly a government \nphenomenon.\n    Mr. Clay. 
Now, I understand that when GAO conducted its \nmost recent FISMA report on Federal agencies, it wasn't tasked \nwith evaluating the private sector. I would like to ask you \nsome questions about challenges facing the private sector based \non your prior work. Are the weaknesses in cybersecurity you are \naware of in the private sector consistent with what GAO found \nwith respect to Federal agencies?\n    Mr. Wilshusen. Our review of information security controls \nat private sector organizations is somewhat limited primarily \nto the work that we do in evaluating the security controls of \nour contractors that support the Federal Government. And what \nwe have found is that those contractors also have security \nvulnerabilities that are consistent with those that we find on \nagency-operated systems.\n    Mr. Clay. So do you think the Federal Government is ahead \nof the private sector when it comes to cybersecurity?\n    Mr. Wilshusen. I don't know if I could say that. One thing \nthat I could say is that at least the Federal Government, and \nparticularly in respect to the types of information security \npolicies and guidance that are promulgated by the National \nInstitute of Standards and Technology is among the best and are \nsometimes used by private sector organizations.\n    Mr. Clay. Okay.\n    Mr. Wilshusen. So we do a pretty good job in identifying \npolicies and procedures. Where we're challenged is implementing \nthem in our information systems controls environments over time \nthroughout the entire enterprise.\n    Mr. Clay. Ms. Tighe, would you have anything to add?\n    Ms. Tighe. No. I would agree that NIST provides very \nsignificant and complete guidelines for IT--in the area of IT \nsecurity. The challenge is getting them implemented.\n    Mr. Clay. Thank you. And, Dr. Harris, anything additional?\n    Mr. Harris. I would absolutely concur. 
In fact, as we work \nwith some of our private sector partners, we see that they \ndon't use standards as stringent as those that NIST provides.\n    Mr. Clay. Thank you all. Thank all of you for your \nresponses. May I yield the balance of my time to the ranking \nmember?\n    Mr. Connolly. I thank my colleague. By the way, I will \nthrow you a lifeline, Dr. Harris. We have talked a lot of about \nFSA, but it was Congress acting on the recommendations of a \nprevious administration that actually made FSA a PBO, a \nperformance-based organization, and even referred to it as--FSA \nis generally siloed from the rest of the Department of \nEducation, although its chief operating officer reports to the \nSecretary of Education, as Dr. Harris testified.\n    So it is Congress in legislation that we passed in 1997 on \na bipartisan basis, our former colleagues Howard ``Buck'' \nMcKeon and Dan Kildee who actually authored H.R. 2536 that did \nthat. So we now need, because of the passage of FITARA, frankly \nto square those two. And I think the current Congress would \nfavor the FITARA approach and maybe look a little askance at \nsiloing anything in light of technology progressing and the \nthreat we are facing.\n    If the chair would just indulge me one question and then I \nam done ----\n    Chairman Chaffetz. Sure. Yes.\n    Mr. Connolly.--if Mr. Mulvaney would--okay. In listening to \nthis hearing, I am not sure we are reassured. We dispute the \n``F'' we get in FITARA. We are not fully aware of these other \nrankings that move us to high risk or yellow to red. Systems \nweren't quite in place when the penetration exercise, according \nto Ms. Tighe, ``we could have gone anywhere'' in that exercise, \nvery alarming. We only have three data centers but we don't \nknow how many our contractors have and we are not really \nentirely responsible for that even though they are in \npossession of data that could be compromised.\n    Certainly, take the point, Dr. 
Harris, that we need to bulk \nup on the talent pool as much as we do resources, but we need \nboth. We need both. There is no question about it.\n    But at the end of the day, Dr. Harris testified with \nrespect to the question of vulnerability, ``we are reasonably \nsecure now. I don't want anyone to think otherwise.'' I have \ngot to challenge that and I want you, Ms. Tighe, and you, Mr. \nWilshusen, to respond to that. My question is should Americans \nbe concerned that the kind of breach that occurred at OPM \nfrankly could occur with respect to at least 50 million \nAmericans whose data is in the hands of the Department of \nEducation? I am not leaving this hearing feeling that we are \nreasonably secure now. Professionally, is that your judgment? \nDo you share Dr. Harris's confidence that we are reasonably \nsecure now?\n    Ms. Tighe. I am still concerned about the potential for \nbreaches in the Department. I think that the issues we pointed \nto in our current FISMA report, particularly under the areas of \nconfiguration management and under incident detection are very \nsignificant, and they really point to the potential for \nsignificant vulnerabilities. There was also the issue on the \nmainframe in Georgia operated by a subcontractor that we were \nnot even able to properly evaluate. And we found privileged \nusers with permissions not appropriate. That stuff worries me, \nand I don't feel, you know, as rosy about the picture as Dr. \nHarris. With all that said, I know the Department is working on \nthese things.\n    Mr. Wilshusen. I would defer to Ms. Tighe in her assessment \nbut also just comment on the types of weaknesses that she and \nher team identified at Education as being those types of \nvulnerabilities that can be exploited and can be used to gain \naccess and even, you know, potentially hide an intruder's \npresence on a network.\n    Mr. Connolly. I thank the chair and I thank Mr. Mulvaney \nfor his courtesy.\n    Chairman Chaffetz. 
I will now recognize the gentleman from \nSouth Carolina, Mr. Mulvaney.\n    Mr. Mulvaney. I thank both the gentleman. And I have just \ngot a couple of mopping-up questions here at the end so in no \nparticular order.\n    Mr. Harris, you mentioned a couple different times talent, \nwhich is something we don't hear much in here. Ordinarily, \npeople come in and complain they don't have enough money. I \nhave not heard that one before. Let me ask you this. Do you not \nhave access--my understanding was that in other areas of the \nFederal Government we have some really, really good people \nworking on IT. Do you not have access to their expertise and \ntheir subcontractors and their experiences?\n    Mr. Harris. Thank you so much for the question, \nRepresentative Mulvaney.\n    I'm so glad you raised it because you do have talent across \nthe Federal space, in, fact one of the things I am hoping that \nthis body will help with is actually centralizing some of that \ntalent so a small agency like the Department of Education can \nget more help. But what the Federal--what the private space is \npaying we simply can't match that, and in a lot of instances, \nfolks don't see the Department of Education as an exciting \ncyber space to go to. So we're very challenged when we compete \nwith other Federal agencies, as well as the private space. So \nwe are really hurting from that perspective.\n    Mr. Mulvaney. And that is sort of what worries me is that \nbecause you are not exciting, people actually might be \nattracted to you in terms of being a target.\n    Ms. Tighe, I come back to something you said earlier \nabout--and I am going to butcher the numbers--97-odd-thousand \nusers, and you made an excellent point, which is that there is \nsomeone in the registrar's office at G.W. who has access to \nthis system. Let me ask you this. If I am sitting there and I \nam at G.W. 
and I am the, you know, little part-time student who \ncomes in to work on the FAFSA stuff, what do I need in order to \nget Mr. Chaffetz's student loan information?\n    Ms. Tighe. Well, you need his--most financial aid \nadministrators--well, you probably need him to either have gone \nto G.W. University ----\n    Mr. Mulvaney. Okay.\n    Ms. Tighe.--or put that as one of his schools on his \napplication. So ----\n    Mr. Mulvaney. Okay ----\n    Ms. Tighe.--they have a more limited purview than they ----\n    Mr. Mulvaney. All right. So if I am sitting there ----\n    Ms. Tighe.--have access to.\n    Mr. Mulvaney.--and I am the person at G.W. who is--and I \nhate to pick on G.W. but I went to Georgetown ----\n    Ms. Tighe. Or his Social.\n    Mr. Mulvaney. Yes. I went to Georgetown so I love to pick \non G.W.\n    Ms. Tighe. Yes.\n    Mr. Mulvaney. You are telling me I can only gain access to \npeople who have actually either gone to G.W. or checked that on \none of their FAFSA forms?\n    Ms. Tighe. Yes, unless they, for whatever reason, would \nhave their Social Security number.\n    Mr. Mulvaney. And that was my next question ----\n    Ms. Tighe. Yes.\n    Mr. Mulvaney.--which is if I have Mr. Chaffetz's Social \nSecurity number and he is in the system, I can get him, can't \nI?\n    Ms. Tighe. That's my understanding.\n    Mr. Mulvaney. So that means that if I am able to acquire \nthat Social Security number from any other source and I have \naccess to your system at tens of thousands of terminals, I can \nget just about anything?\n    Ms. Tighe. That's correct.\n    Mr. Mulvaney. Now, let me drill down on that a little bit. \nWhat is ``just about anything'' because when I--I got a little \nnotice from I think it was Target--my wife did--saying that \nthey had been hacked. I get all that. That is right. That \ndoesn't bother me too much. I think we use the same credit card \nthere and I don't use anything else at Target. If you hack into \nMr. 
Chaffetz's records at the Department of Education, what \ntype of information can you get on him?\n    Ms. Tighe. Well, you can--obviously, you can get the \nfinancial information reported in the application for Federal \nStudent Aid and ----\n    Mr. Mulvaney. Does that include his parents' income?\n    Ms. Tighe. Yes, it does.\n    Mr. Mulvaney. Does it include any bank account information? \nWe didn't have these forms when I was in school ----\n    Ms. Tighe. Do we--is it ----\n    Mr. Mulvaney.--so I am not really sure ----\n    Ms. Tighe.--bank account information? Yes. I think--believe \nthere is banking information.\n    Mr. Mulvaney. What about stocks and bond account \ninformation?\n    Ms. Tighe. I wouldn't think that would be available.\n    Mr. Mulvaney. Okay. All right. What else can you get just \nout of curiosity?\n    Ms. Tighe. Let me get back to you on a full accounting ----\n    Mr. Mulvaney. Okay.\n    Ms. Tighe.--of what the--is available.\n    Mr. Mulvaney. And I hope I am making my point, which is \nthat when Target got hacked ----\n    Ms. Tighe. Yes.\n    Mr. Mulvaney.--I didn't lose a lot of concern over it. If \nsomeone had my bank account records, that might--including, I \nguess, account numbers because I guess you all at some point \nverify that information or can ----\n    Ms. Tighe. Well, there is information related to the \nstudents'--for disbursements as student aid, you know, moving \nmoney into the students' bank accounts.\n    Mr. Mulvaney. Sure. Okay. And I am sorry; I lost track of \nwhere I was going after that. So I would be happy to yield to \nthe chair whatever 40 seconds I have left. But I thank you all \nfor your information and looking forward to going forward.\n    Chairman Chaffetz. If the gentleman will yield, there are \nlifetime loan limits, right? So talk to the scope of time here \nthat we are talking about.\n    Ms. Tighe. 
My understanding is in the National Student Loan \ndatabase is that once you get money, your information is kept \nin there for--like I don't think there's a deadline or cutoff \nfor when that information gets moved because there are \nstatutory limits on the amount of student aid one can take so \nthey have to keep track of it over a lifetime. So they--it's--\nthe information is retained for a very long time.\n    Chairman Chaffetz. And how many people in that database?\n    Ms. Tighe. There are, I think, currently about 85--at least \nsomewhere over 75 million student accounts or student account \ninformation.\n    Chairman Chaffetz. And in addition to that, there are other \nindividuals, right? So how many individuals are we ultimately \ntalking about?\n    Ms. Tighe. Well, Student Loan database--the National \nStudent Loan database will have just students who get financial \naid. There are other systems the Department has like the CPS \nsystem where you will have the parent information also.\n    Chairman Chaffetz. So how many Americans? What is the grand \ntotal of number of Social Security numbers--we had ----\n    Ms. Tighe. Well, the 130--we--by our count from the OIG's \nestimation of looking at the Department's databases we have \nover 139 million unique Social Security numbers. And that's \njust in the student loan application and the PIN registry \nsystems.\n    Chairman Chaffetz. Does the gentleman yield back?\n    Mr. Mulvaney. Yes, sir.\n    Chairman Chaffetz. In wrap-up here, I want to address \nsomething just to clarify. You have a responsibility, Ms. \nTighe, as the inspector general to be able to go in and look at \nthe contractors and the subcontractors, but you have had \ndifficulty gaining access to some of those systems, \nspecifically the COD or the Common Origination and Disbursement \nsystem. Have you been able to look at that system?\n    Ms. Tighe. No, we were not able to. 
We included the \nmainframes of the Department as part of our testing this year. \nTwo of those mainframes are at the Virtual--the VDC, the \nVirtual Data Center. One of them is in Columbus, Georgia, and \noperated by a company called TSYS under a subcontract with the \nFederal Student Aid organization. We entered into an agreement \nwith them that outlined everything we needed. We gave them a \ntimetable.\n    They did not by any stretch of the imagination meet that \ntimetable, and in the end, they were not able to provide us \nvery critical information for us to do a full vulnerability \ntesting. They limited our information in the end to the \neducation environment. The problem is that mainframe in Georgia \nis a shared environment with their private customers.\n    And I understand their reluctance, but the fact remains is, \ngiven the problems we found with what--just what they were able \nto provide us, seeing privileged users that had excessive \npermissions and the like, I worry about what other users we \nwere not able to see have access to in our data.\n    Chairman Chaffetz. Well, we want to be supportive of the \ninspector general community and the good people at TSYS. Is \nthat their name? They are about to get a nasty-gram from the \nUnited States Congress, and we will use every power we have to \nyank them up here and make sure that you get the access to that \ninformation so ----\n    Ms. Tighe. I appreciate it.\n    Chairman Chaffetz.--the folks down there can look forward \nto that. We are going to make sure you have the access you \nneed.\n    Mr. Harris, last bit of questions. Talk to me about how \ndilapidated, outdated some of the operating systems software \nthat you are having to deal with. Do you use a COBOL, for \ninstance?\n    Mr. Harris. No, sir, we do not use COBOL.\n    Chairman Chaffetz. Do ----\n    Mr. Harris. 
On the FSA side I'm not sure if they still have \nany COBOL-based systems, but I can get that information for \nyou.\n    Chairman Chaffetz. But all the other systems, you are not \naware of any ----\n    Mr. Harris. Do not use COBOL, sir, no.\n    Chairman Chaffetz. Do you use DOS or what ----\n    Mr. Harris. No, sir. We're primarily a Windows-based. We \nuse a lot of Linux, Unix. However, it's not just the operating \nsystem; it's the version.\n    Chairman Chaffetz. Sure.\n    Mr. Harris. When you get past N minus 1 and the vendor is \nno longer patching it, you have a problem.\n    Chairman Chaffetz. So how old--what Windows operating \nsystems are you using? And it is probably a whole gambit, \nright?\n    Mr. Harris. It's a gambit.\n    Chairman Chaffetz. How old is the worst? I mean if you were \nto walk around say, oh, my goodness ----\n    Mr. Harris. It's--probably the worst would probably be five \nversions old.\n    Chairman Chaffetz. So like what is that, Windows 95, 97?\n    Mr. Harris. Probably 97.\n    Chairman Chaffetz. Ninety-seven still? And they are not \neven servicing that at Microsoft anymore?\n    Mr. Harris. That is correct. That is correct.\n    Chairman Chaffetz. So there are no security patches being \nupdated? The ----\n    Mr. Harris. Not for those, sir, but to be fair, many of the \nsystems using those operating systems do not have sensitive \ndata. I don't want to suggest that there is student information \nsitting on systems that use Windows 97 but ----\n    Chairman Chaffetz. Understood, but ----\n    Mr. Harris.--these are OSs.\n    Chairman Chaffetz. But you feel for the employee, who is \ntheir good, patriotic, hardworking ----\n    Mr. Harris. Sure.\n    Chairman Chaffetz.--employee who is going into work trying \nto negotiate a Windows 97 operating system as opposed to \nsomething a little bit more up-to-date.\n    Listen, this has been very productive. 
I appreciate all the \nwork that not only the three of you individually do but that \nyour organizations do. We have got a lot of good people who try \nto do the right thing, they work hard, and I want to carry back \nthat, you know, how much we care and appreciate them and what \nthey do from the GAO to the inspector general to the Department \nof Education.\n    That is the beauty--and I say this often in this committee. \nThe beauty of the United States of America is that the Congress \ndoes ask hard questions. That is what we are supposed to be \ndoing. That is what makes us unique in this country is we hold \npeople accountable, we ask hard questions, and we have the good \ndialogue back and forth.\n    So I appreciate the attitude and approach, Mr. Harris, that \nyou have had here, but we do ultimately want to not only be the \nOversight Committee but the Government Reform Committee. To the \nextent we can help you with these issues, we want to do that.\n    Mr. Connolly. And, Mr. Chairman ----\n    Chairman Chaffetz. Happy to yield.\n    Mr. Connolly.--we do have--thank you, Mr. Chairman. We do \nhave a legislative item that sooner or later we are going to \nhave to review, and that is this apparent conflict between what \nFITARA is trying to get at, which is to enhance Dr. Harris's \nauthority and responsibility, and the older legislation from \n1997 that may have been appropriate when Windows 97 was still \noperating, but we also need to upgrade our own legislative \nmandate because Dr. Harris is handicapped by statute. And we \nmay have to address that ----\n    Chairman Chaffetz. And that is where I think the E-\nGovernment Act of 2002 is actually what we should be looking \nat, but I look forward to working with you because ----\n    Mr. Connolly. Yes.\n    Chairman Chaffetz.--you should have not only the \nresponsibility but the authority, and there should be no \ndiscrepancy there. 
And we will work with you on that.\n    Again, appreciate the participation of all the members. The \ncommittee stands adjourned.\n    [Whereupon, at 11:51 a.m., the committee was adjourned.]\n\n\n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n                                 [all]\n</pre></body></html>\n"